Epsilon Data Breach Hits Banks, Retail Giants

Marketing company Epsilon is reporting a data breach
that could affect the email addresses of thousands of customers of major banks, retail and hotel chains.

Epsilon,
a large email marketing services company with a roster of A-list clients,
reported a data breach that is impacting practically anyone who has ever signed
up to receive a retail offer or alert through its email account. The company
warned that thieves may use the information to launch a phishing campaign to
trick users into disclosing more critical data.
On
March 30, Epsilon detected "an unauthorized entry" into its email
system. During this time, a subset of clients' customer data was exposed. Epsilon
only has the information of people who opted-in to receive marketing emails,
and the theft was limited to email addresses and customer names, according to
the company.

"A
rigorous assessment determined that no other personal identifiable information
associated with those names was at risk. A full investigation is currently
underway," Epsilon said in a terse statement on April 1.

No
industry segment appears to have been spared. Epsilon has been updating its
list of affected companies as it continues its investigation into the breach.
As of April 3, the list included financial services institutions such as
Capital One, US Bank, JPMorgan Chase, Citi and Barclays Bank of Delaware.
However, the only Barclays Bank of Delaware
customers affected were the ones who have an LL Bean Visa card.
In
addition to the banks, other impacted companies included hotel brands
Ritz-Carlton Rewards and Marriott Rewards, and retail heavyweights Home
Shopping Network, Walgreens, Brookstone, New York & Company and Kroger.
TiVo is also included in this list.
McKinsey,
The College Board and Disney Destinations were also part of the confirmed list.

"Please
be careful of phishing scams via email. Statement from Citi for our valued
Customers regarding Epsilon & email," financial giant Citi warned its
customers in a post on Twitter.
As
breaches go, the amount of information exposed is very limited. TiVo assured
customers in an email to its customers that their "service and other
personally identifiable information" were not at risk. Marriott Rewards
customers received similar reassurances, as only email addresses were stolen,
and passwords, credit card information, member addresses and point balances
remained safe. Other affected clients sent out similar messages over the
weekend, and more are expected as Epsilon continues its investigation.
"Epsilon
has advised us that the files that were accessed did not include any customer
information other than email addresses," used books retailer AbeBooks
wrote in a message to customers on April 3.
Even
so, customers should "exercise extreme caution," as email addresses
are all cyber-criminals need to initiate a phishing attack. Users can expect to
see more spam, and should be vigilant about email offers that ask for personal
information or have links to other sites that ask for personal information.
Many
of these phishing attacks tend to take the form of security alerts-informing
users that their accounts have been compromised and they should verify their
log-in credentials to reset their accounts-or direct marketing scams promising
special deals that require a credit card number.
Citi
reminded users that all legitimate messages from the bank use "an Email
Security Zone" to authenticate the messages. "Customers should check
the Email Security Zone to verify that email they have received is from Citi
and reduce the risk of personal information being phished," according
Citi.
There
have been at least three major incidents involving stolen email lists in recent
months. TripAdvisor
informed users of a breach affecting their email addresses on March 24, and Play.com
said March 27 it was affected by the Silverpop data breach announced in
December. The Silverpop incident affected only a subset of its clients, which
included McDonald's, American
Honda Motor and DevianART.
As
the world's largest permission-based email marketing services, Epsilon has more
than 2,500 clients and sends more than 40 billion emails annually. The
Dallas-based subsidiary of Alliance Data Systems works with some of the biggest
brand names across all industries. The company manages the customer email database
and communications for its clients.